[Bug 1213721] New: [SELinux] <topic>
https://bugzilla.suse.com/show_bug.cgi?id=1213721

            Bug ID: 1213721
           Summary: [SELinux] <topic>
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: jbohac@suse.com
        QA Contact: security-team@suse.de
  Target Milestone: ---
          Found By: ---
           Blocker: ---

The new versions of kdump (since v1.9.0) save the initrd in /var/lib/kdump/initrd and maintain a symlink to the kernel the initrd has been built for in /var/lib/kdump/kernel. E.g.:

dhcp198:~ # ls -lZ /var/lib/kdump/
total 35476
-rw-------. 1 root root system_u:object_r:kdump_var_lib_t:s0 36322984 Jul 27 14:28 initrd
lrwxrwxrwx. 1 root root system_u:object_r:kdump_var_lib_t:s0       40 Jul 27 14:28 kernel -> /usr/lib/modules/6.3.9-5-default/vmlinuz

SELinux blocks the following of the symlink during kdump service start. audit2allow suggests:

allow kdump_t kdump_var_lib_t:lnk_file read;

To me (a complete SELinux noob) this makes sense and indeed creating and loading a module with

audit2allow -M kdump-fix < /var/log/audit/audit.log
semodule -i kdump-fix.pp

fixes the problem.

Operating System: openSUSE MicroOS

SELinux status, mode and policy name: <TODO>

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

SELinux policy version and repository: <TODO>

dhcp198:~ # rpm -qa|grep selinux-pol
selinux-policy-20230622-2.1.noarch
selinux-policy-targeted-20230622-2.1.noarch

The software (incl. version) that is affected by the SELinux issue and the error message: kdump

SELinux Audit log:

dhcp198:~ # ausearch -ts today -m avc
----
time->Thu Jul 27 14:26:15 2023
type=PROCTITLE msg=audit(1690467975.028:134): proctitle=2F7362696E2F6B65786563002D70002F7661722F6C69622F6B64756D702F6B65726E656C002D2D617070656E643D2072642E74696D656F75743D36302072642E72657472793D34352071756965742073797374656D642E73686F775F7374617475733D79657320636F6E736F6C653D74747953302C31313532303020636F6E73
type=SYSCALL msg=audit(1690467975.028:134): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd0d633da7 a2=0 a3=0 items=0 ppid=4833 pid=4834 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kexec" exe="/usr/sbin/kexec" subj=system_u:system_r:kdump_t:s0 key=(null)
type=AVC msg=audit(1690467975.028:134): avc:  denied  { read } for  pid=4834 comm="kexec" name="kernel" dev="sda3" ino=48130 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:kdump_var_lib_t:s0 tclass=lnk_file permissive=0
----
time->Thu Jul 27 14:26:15 2023
type=PROCTITLE msg=audit(1690467975.032:135): proctitle=2F7362696E2F6B65786563002D70002F7661722F6C69622F6B64756D702F6B65726E656C002D2D617070656E643D2072642E74696D656F75743D36302072642E72657472793D34352071756965742073797374656D642E73686F775F7374617475733D79657320636F6E736F6C653D74747953302C31313532303020636F6E73
type=SYSCALL msg=audit(1690467975.032:135): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffc2c117daa a2=0 a3=0 items=0 ppid=4835 pid=4836 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kexec" exe="/usr/sbin/kexec" subj=system_u:system_r:kdump_t:s0 key=(null)
type=AVC msg=audit(1690467975.032:135): avc:  denied  { read } for  pid=4836 comm="kexec" name="kernel" dev="sda3" ino=48130 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:kdump_var_lib_t:s0 tclass=lnk_file permissive=0
----
time->Thu Jul 27 14:26:15 2023
type=PROCTITLE msg=audit(1690467975.032:136): proctitle=2F7362696E2F6B65786563002D70002F7661722F6C69622F6B64756D702F6B65726E656C002D2D617070656E643D2072642E74696D656F75743D36302072642E72657472793D34352071756965742073797374656D642E73686F775F7374617475733D79657320636F6E736F6C653D74747953302C31313532303020636F6E73
type=SYSCALL msg=audit(1690467975.032:136): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffc2c117daa a2=0 a3=0 items=0 ppid=4835 pid=4836 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kexec" exe="/usr/sbin/kexec" subj=system_u:system_r:kdump_t:s0 key=(null)
type=AVC msg=audit(1690467975.032:136): avc:  denied  { read } for  pid=4836 comm="kexec" name="kernel" dev="sda3" ino=48130 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:kdump_var_lib_t:s0 tclass=lnk_file permissive=0

--
You are receiving this mail because:
You are on the CC list for the bug.
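The report's fix runs audit2allow over the entire audit log, which turns every denial in that log into an allow rule, not only the lnk_file one kexec hit. The script below is an added example (not the reporter's commands and not part of the kdump or selinux-policy packages) that does the narrow version of the same thing for the AVC record shown above: it derives the single type-enforcement rule from that record, wraps it in a reviewable .te module, and builds and loads it with checkmodule, semodule_package and semodule. The SAMPLE_AVC string is a constructed copy of the report's AVC line; the module name kdump-fix is taken from the report.

```shell
#!/bin/sh
# Added example: derive the allow rule for a single AVC denial (the case
# audit2allow handles for the report above), emit a .te module, and show the
# build/load steps. Not part of the original bug report or of any package.

# Constructed copy of the AVC record from the report (the denied symlink read).
SAMPLE_AVC='type=AVC msg=audit(1690467975.028:134): avc:  denied  { read } for  pid=4834 comm="kexec" name="kernel" dev="sda3" ino=48130 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:kdump_var_lib_t:s0 tclass=lnk_file permissive=0'

# Value of a key=value field in an AVC record; $1 = record, $2 = key name.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Type component of a context such as system_u:system_r:kdump_t:s0.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Permission list inside "denied { ... }", normalised to single spaces.
avc_perms() {
    printf '%s\n' "$1" \
        | sed -n 's/.*denied[[:space:]]*{\([^}]*\)}.*/\1/p' \
        | tr -s ' ' | sed 's/^ //; s/ $//'
}

# One "allow <src> <tgt>:<class> <perms>;" line for an AVC record.
avc_to_allow() {
    rec=$1
    src=$(ctx_type "$(avc_field "$rec" scontext)")
    tgt=$(ctx_type "$(avc_field "$rec" tcontext)")
    cls=$(avc_field "$rec" tclass)
    perms=$(avc_perms "$rec")
    case $perms in
        *' '*) perms="{ $perms }" ;;   # several permissions need braces
    esac
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
}

# Complete .te module source for the record: header, require block, rule.
# $1 = module name, $2 = AVC record.
te_module() {
    name=$1; rec=$2
    src=$(ctx_type "$(avc_field "$rec" scontext)")
    tgt=$(ctx_type "$(avc_field "$rec" tcontext)")
    cls=$(avc_field "$rec" tclass)
    perms=$(avc_perms "$rec")
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    printf '\ttype %s;\n\ttype %s;\n' "$src" "$tgt"
    printf '\tclass %s { %s };\n}\n\n' "$cls" "$perms"
    avc_to_allow "$rec"
}

# Build and load a .te file. Needs root and the policy tools (checkmodule,
# semodule_package, semodule); equivalent to the report's audit2allow -M and
# semodule -i, but from a reviewed single-rule source.
install_te_module() {
    te=$1; base=${te%.te}
    checkmodule -M -m -o "$base.mod" "$te" &&
    semodule_package -o "$base.pp" -m "$base.mod" &&
    semodule -i "$base.pp"
}

# Print the module source; with --install also build and load it.
te_module kdump-fix "$SAMPLE_AVC"
if [ "${1-}" = "--install" ]; then
    te_module kdump-fix "$SAMPLE_AVC" > kdump-fix.te
    install_te_module kdump-fix.te
fi
```

After loading, confirm the rule is in the active policy with setools (sesearch --allow -s kdump_t -t kdump_var_lib_t -c lnk_file) and re-run the kdump service while watching ausearch -m avc -ts recent for a fresh denial; if the service then trips a different denial (for example on the target of the symlink), that is a second record and needs its own reviewed rule, not a blanket module generated from the whole log.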
https://bugzilla.suse.com/show_bug.cgi?id=1213721

Jiri Bohac <jbohac@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|[SELinux] <topic>           |[SELinux] add SELinux rule
                   |                            |for new versions of kdump
https://bugzilla.suse.com/show_bug.cgi?id=1213721
https://bugzilla.suse.com/show_bug.cgi?id=1213721#c8

--- Comment #8 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1213721) was mentioned in
https://build.opensuse.org/request/show/1101210 Factory / kdump